JWT Debugger & Decoder
Decode Bearer tokens securely — no server involved, no token logging.
Security: This tool only decodes (reads) the Base64 header/payload. It does not verify the cryptographic signature. Never share production tokens.
JSON Web Token (JWT) Structure
A JWT consists of three Base64URL-encoded sections separated by dots: Header.Payload.Signature.
- Header — declares the signing algorithm (e.g., HS256, RS256) and token type.
- Payload — contains claims: who the user is (sub), when the token expires (exp), and custom application data.
- Signature — a cryptographic hash that proves the token was not tampered with. Only the server with the private key can verify this.
FAQ
Why does my token show strange characters? Base64URL uses - and _ instead of + and /. This tool handles that substitution automatically.
Can this verify the signature? No — signature verification requires access to the server's private key or public certificate, which stays server-side for security.
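The decode-only behaviour described above (splitting Header.Payload.Signature and undoing the Base64URL substitution) can be reproduced in a few lines. This is an added example, not this tool's own code; it assumes Node.js for `Buffer`, and the function names and sample token are constructed for illustration.

```javascript
// Decode-only JWT inspection: reads header and payload, never checks the signature.

function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64, "base64").toString("utf8");
}

// Helper used only to build the constructed sample token below.
function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Accept a raw token or a full "Bearer <token>" header value.
  const parts = token.trim().replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) {
    throw new Error("expected Header.Payload.Signature");
  }
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  return {
    header,
    payload,
    // exp is seconds since the epoch; null means the claim is absent.
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
    signatureVerified: false, // decoding alone never proves authenticity
  };
}

// Constructed sample: the third part is a placeholder, not a real signature.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "user-123", exp: 1700000000 })),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

const result = decodeJwt("Bearer " + sampleToken, 1700000001);
console.log(result);
```

The output always carries `signatureVerified: false`, so decoded claims should be treated as unauthenticated input until a server-side check has validated the signature.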